A doctor working for a hospital managed by the Hospital Authority has lost a USB flash drive containing personal data of 47 patients, including their names, ID numbers, sex, age and operation records.

The doctor is from the Ophthalmology Department of United Christian Hospital, part of the Kowloon East Cluster (KEC).

According to the spokesperson of the KEC, the relevant data were not exported or download from the Hospital Authority’s Clinical Management System.

Failing to locate the device despite repeated searching, the doctor reported the incident to the hospital management and the Police on 23 March. On the same day it was also reported to Hospital Authority Head Office through the Advanced Incidents Reporting System, and the Office of the Privacy Commissioner for Personal Data was informed.

The device also contained some work related files. The hospital said that the incident would not affect concerning patients’ treatment.

According to the guidelines established by the Hospital Authority, any hospital staff using removable electronic storage devices for operational needs should apply for the approval from the Chief Executive of the hospital. The staff concerned was found not to have complied with these data security guidelines.

KEC is setting up an independent panel to investigate the incident and disciplinary action will be taken according to the policy if any human errors are identified.

“Staff members have been reminded again to strictly follow the established protocol on protecting data and privacy of patients,” said a statement by the Hospital Authority.

Regular training sessions have been provided for staff of all grades and ranks on protection of patient data and privacy.

January last year, a similar incident happened in the same hospital. During an interview with FutureGov, Andre Greyling, CIO of the Hospital Authority said the earlier incident was the biggest challenge the IT department had to deal with in 2008.